Researcher Spots New Tricks in Web Payment Card Skimmers

E-commerce sites have been under siege from cybercriminals who seek to sneak malicious code into checkout processes. A researcher has found two new methods that payment card number thieves are using to try to stay under the radar.

The attackers are sometimes referred to as Magecart, a name for a slew of groups that steal payment card numbers. These attackers often capitalize on vulnerabilities in e-commerce software or other security mistakes that allow for the injection of malicious JavaScript, dubbed sniffers or skimmers (see: Magecart Cybercrime Groups Harvest Payment Card Data).

One of those newly employed methods is steganography, which involves hiding code in something that appears to be benign, such as an image file.

A Twitter user, @affablekraut, recently disclosed the discovery of a credit card skimmer disguised as an image, writes Jerome Segura, director of threat intelligence at Malwarebytes.

"To the naked eye, the image looks like a typical free shipping ribbon that you commonly see on shopping sites," Segura writes in a blog post.

An image that contained skimming code (Source: Malwarebytes)

@Affablekraut tweets that the malicious image was discovered using Strelka, a container-based file scanning tool that grew out of Lockheed Martin's Laika Boss scanner.

The malicious JavaScript is appended at the end of the image file, Segura writes. The image gets loaded, then the JavaScript is parsed using the slice() method. The malicious code is visible in a hex editor.

There's a big advantage to using steganography, Segura writes. "As it happens, the majority of web crawlers and scanners will concentrate on HTML and JavaScript files, and often ignore media files, which tend to be large and slow down processing. What better place to sneak in some code?"
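As an added example (not Strelka's code or anything from the Malwarebytes post), the following Python script flags image files that carry bytes after the format's end-of-image marker, which is the layout described above. It walks PNG chunks and JPEG segments rather than searching for the end marker, so EXIF thumbnails (a nested JPEG inside an APP1 segment) are not misreported; the sample images and the appended script fragment are constructed.

```python
# Added example (not Strelka's or the post's code): report bytes that follow an image's
# end-of-image marker, the layout described above (JavaScript appended to a valid image).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# In JPEG scan data 0xFF is stuffed as FF00 and FFD0-FFD7 are restart markers.
NOT_A_MARKER = frozenset({0x00, *range(0xD0, 0xD8)})
SCRIPT_HINTS = (b"function", b"document.", b"eval(", b"atob(", b".slice(", b"WebSocket")

def png_end(blob):
    """Offset just past the IEND chunk (walks length/type/data/CRC chunks), or None."""
    i = len(PNG_MAGIC)
    while i + 8 <= len(blob):
        length, ctype = int.from_bytes(blob[i:i + 4], "big"), blob[i + 4:i + 8]
        i += 12 + length
        if ctype == b"IEND":
            return i
    return None

def jpeg_end(blob):
    """Offset just past the top-level EOI marker, or None. Walking segments by length
    skips EXIF thumbnails (a nested JPEG, with its own FFD9, inside an APP1 segment)."""
    i, n = 2, len(blob)
    while i + 1 < n and blob[i] == 0xFF:
        marker = blob[i + 1]
        if marker == 0xD9:                                   # EOI
            return i + 2
        if marker == 0xFF:                                   # fill byte
            i += 1
        elif marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            i += 2                                           # standalone, no length field
        elif i + 4 <= n:
            i += 2 + int.from_bytes(blob[i + 2:i + 4], "big")
            if marker == 0xDA:                               # SOS: skip entropy-coded data
                while i + 1 < n and not (blob[i] == 0xFF and blob[i + 1] not in NOT_A_MARKER):
                    i += 1
        else:
            break
    return None

def verdict(blob):
    """'clean', 'unparsed', 'suspicious:script', or 'suspicious:trailer' for other junk."""
    end = png_end(blob) if blob.startswith(PNG_MAGIC) else jpeg_end(blob) if blob[:2] == b"\xff\xd8" else None
    if end is None:
        return "unparsed"
    tail = blob[end:]
    return "clean" if not tail else "suspicious:script" if any(h in tail for h in SCRIPT_HINTS) else "suspicious:trailer"

# Constructed samples: a minimal PNG and JPEG, and a stand-in for an appended script.
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(17) + b"\x00\x00\x00\x00IEND\xaeB`\x82"
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\x56\xff\xd9"
TAIL = b"function grab(){return document.forms.length}"
```

Run `verdict()` over the media directory of a store (or a web crawl that, unlike most scanners, does not skip image files); a "suspicious:trailer" result on a JPEG is sometimes harmless camera junk, so inspect the tail in a hex editor before acting on it.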

WebSocket: Covert Data Stealing

The second new method - also found by @affablekraut - involves using the WebSocket protocol for communication rather than HTTP, Segura writes.

"While WebSockets are advantageous for real-time data transfer, this is not the reason threat actors may be interested in them," he writes. "For their particular use case, WebSockets provide a more covert way to exchange data than typical HTTP requests-responses."

The aim is to keep a channel open with a remote server that's difficult to detect. Segura writes that once a WebSocket connection has been made, a Base64-encoded blob is pushed to the client, which is then decoded and executed as JavaScript; that code is the skimmer, and the captured data is exfiltrated over the same channel.

"The techniques described in this blog will no doubt cause headaches for defenders and give some threat actors additional time to carry on their activities without being disturbed," Segura writes. "But as mentioned before, this kind of cat-and-mouse game was to be expected in the light of regular new publications on Magecart and web skimmers."

@Affablekraut tweets that the best way to defeat a WebSocket skimmer is to adjust the connect-src directive within the Content Security Policy, or CSP, for a web page. That directive restricts which URLs the page's scripts are allowed to connect to, which includes WebSocket endpoints.

Also, not trying to hide anything but I did obscure the affected store. If you have a need to see this live, DM me.

The method to stop this attack: CSP. The connect-src setting in CSPs governs what websockets can connect to. So review your CSPs!
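To make the connect-src advice concrete, here is an added Python checker (not from the post or the tweets) that parses a Content-Security-Policy header and reports whether a page may open a WebSocket to a given URL, including CSP's fall-back to default-src when connect-src is absent. It assumes a constructed page origin of https://shop.example and simplifies CSP3 source matching: ports are ignored and a schemeless host-source matches https and wss only.

```python
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://shop.example"                     # constructed page origin
SECURE = ("https", "wss")

def parse_csp(header):
    """Directive name -> source list; CSP keeps the first copy of a repeated directive."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def source_allows(expr, url):
    """Does one source expression permit url? (simplified CSP3 matching, ports ignored)"""
    u, page = urlsplit(url), urlsplit(PAGE_ORIGIN)
    if expr == "'none'":
        return False
    if expr == "'self'":                                   # same host; wss counts as 'self' on https
        return u.hostname == page.hostname and u.scheme in SECURE
    if expr == "*":
        return True
    if expr.endswith(":") and "/" not in expr:             # scheme-source such as wss:
        return u.scheme == expr[:-1]
    scheme, sep, rest = expr.partition("://")              # host-source: [scheme://]host[:port][/path]
    if not sep:
        scheme, rest = "", expr
    if (scheme and u.scheme != scheme) or (not scheme and u.scheme not in SECURE):
        return False
    host = rest.split("/")[0].split(":")[0]
    if host.startswith("*."):                              # wildcard matches subdomains only
        return u.hostname.endswith(host[1:]) and u.hostname != host[2:]
    return u.hostname == host

def websocket_allowed(header, url):
    """True if the policy lets the page open a WebSocket to url."""
    policy = parse_csp(header)
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:                                    # neither directive: nothing restricts it
        return True
    return any(source_allows(s, url) for s in sources)

# Constructed policies: two that leave WebSockets open to any host, one that pins them down.
NO_CONNECT_SRC = "script-src 'self' https://cdn.example; img-src *"
WILDCARD_CONNECT = "default-src 'self'; connect-src *"
STRICT = "default-src 'self'; script-src 'self' https://cdn.example; connect-src 'self' wss://api.shop.example"
```

A policy served only as Content-Security-Policy-Report-Only reports the connection but does not block it, so check which header the store actually sends.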

Magecart: Never Gives Up

Magecart is believed to encompass as many as 12 criminal groups. The attackers steal payment card data and then sell it on dark web marketplaces for other criminals to exploit. Experts believe hundreds of thousands of websites have been infected (see: Magecart Nightmare Besets E-Commerce Websites).

Over the last few years, Magecart has struck big-name companies, including British Airways, Newegg and Ticketmaster. The infection of British Airways led to one of the most significant enforcement actions against a company under Europe's General Data Protection Regulation.

Britain's Information Commissioner's Office said in July it intended to fine British Airways £184 million ($240 million) under GDPR. In the attack, the personal data of 500,000 customers was exposed as a result of what the ICO said were poor security practices (see: British Airways Faces Record-Setting $230 Million GDPR Fine).

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
